Fully Homomorphic Encryption: Overview and Cryptanalysis

Technische Universität Darmstadt Department of Computer Science Cryptography and Computeralgebra Diploma Thesis July 2011 Fully Homomorphic Encryption: Overview and Cryptanalysis Patrick Schmidt Technische Universität Darmstadt Department of Mathematics Supervised by Prof. Dr. Johannes Buchmann Dr. Richard Lindner Michael Schneider

Acknowledgements First of all, I would like to thank Prof. Johannes Buchmann for giving me the opportunity to write my thesis under this topic and gain knowledge in the field of fully homomorphic schemes and moreover in the area of lattices. Furthermore, many thanks go to my two supervisors Dr. Richard Lindner and Michael Schneider who offered and spent much time answering me all my investigating questions and guiding me in the right direction. In addition I would like to thank all people that supported my work on this thesis by proofreading it, finding spelling mistakes and logical errors as well as supporting me in improving the structure of my thesis and its fluent reading; as there are: Richard Frankland, Maina Olembo, Denise Demirel, and Dr. Melanie Volkamer. Lastly, I thank all whom I have forgotten to mention before! Without your contributions this work would not be what it actually is. Warranty I hereby declare that the content of this thesis is the direct result of my own work and that any use of published or unpublished material in this thesis is fully and correctly referenced. Date: July 14th, 2011 Signature: P. Schmidt iii

Contents Introduction 1 I. Progress on Homomorphic Encryption and Signature Schemes 1. Preliminaries 3 1.1. Lattices..................................... 4 1.2. Computational Problems............................ 6 1.3. Security Models................................. 8 2. Homomorphic Encryption Schemes 13 2.1. Lattice-Based Encryption Schemes...................... 13 2.2. Integer-Arithmetic Encryption Schemes................... 24 3. Homomorphic Signature Schemes 29 3.1. Additional Work to Homomorphic Signature Schemes........... 32 II. Cryptanalysis of the Gentry-Halevi FHE Scheme 4. The Gentry-Halevi Scheme 33 4.1. Brief Recall of the Construction........................ 33 4.2. Parameter Selection.............................. 34 5. Attacking the Gentry-Halevi Scheme 35 5.1. Attack Methodology and Strategies...................... 35 5.1.1. Strategy I LLL........................... 35 5.1.2. Strategy II Sublattice Attack................... 36 5.1.3. Strategy III BKZ.......................... 36 5.2. Practical Considerations............................ 36 5.2.1. Preparatory Work........................... 36 5.2.2. Post-Processing a Strategy...................... 37 5.3. Results...................................... 39 5.3.1. Strategy I (LLL)............................ 39 5.3.2. Strategy II (Sublattice Attack).................... 42 5.3.3. Strategy III (BKZ)........................... 43 Conclusion 47 A. The Code 55 v

Introduction Cryptography has a longstanding history the Egyptians in the year 3000 BC are believed to have been the first humans to use encryption, albeit a very simple form of it, but in previous centuries it simply was known as the science of encryption. Since its early years, cryptography and human kind s understanding of it have undergone a great development, nowadays consisting of far more areas than just encryption. Today, cryptography is more often used in daily life than a normal (end)user in the real world is aware of, e.g. in smartcards, USB-tokens, car or door keys, home wifi networks, mobile communication (using a cellular phone) and many more. Perhaps the most prominent example for the usage of cryptography is the internet, with its many applications and transactions. One can think of such transactions as online-banking, electronic/online voting, e-mailing or using social networks. In most and hopefully all of these examples cryptography in the sense of encryption plays a huge role in ensuring confidentiality of the user s data and credentials like passwords, IDs, PINs, TANs, etc. Contrary to these instances, in some areas one explicitly wants to allow other people to perform some set of (permitted) applications on ones data without having access to the data in plaintext. One example is the delegation of computations according to [19] or [10], in which the delegator wants to outsource the computation of some function on many inputs to a worker and later maintain the correct result. A second example for this is electronic voting (which could be seen as a special case of delegation of computation) like in [15] or [45], where one would like the election authorities to be able to count the votes and present the final results, but dislikes the idea that individual votes are first decrypted and afterwards tallied. Two final examples are multiparty computations and commitment schemes as reported in [41]. In the setting of multiparty computations one wants different parties to jointly compute some function without revealing their inputs to each other, and for commitment schemes one can think of auctions where the auctioneer wants to assure that the offers are not publicly known in the bidding phase while at the same time ensuring that no one is able to repudiate their own offer. In the above settings, as well as in many others, a way to accomplish the goal of computing on encrypted data is needed. With homomorphic encryption one can assure that performing some operations on encrypted data is possible. To achieve the aim in the example of electronic voting, the election authorities add the encrypted votes (thus receiving the final result encrypted) and then only have to decrypt the computed ciphertext to obtain the final result. For delegation of computation, the delegator hands the function f and the encrypted inputs to the worker, and the worker returns the encrypted result. For the other examples similar operations have to be performed. A various number of homomorphic schemes have already been presented in the last decades: unpadded RSA [43] or the cryptosystem of ElGamal [16] and the cryptosystems of Goldwasser-Micali [27], Benaloh [4] or Paillier [40]. These examples contain additive-only or multiplicative-only homomorphic encryption schemes as well as addi- 1

tively homomorphic encryption schemes which support a very limited number of multiplications. This last type of scheme is able to homomorphically evaluate an arbitrary number of additions but only a small number of multiplications, i.e. such schemes can evaluate polynomials up to some small degree d but are unable to evaluate polynomials of a larger degree. For further examples of homomorphic encryption schemes see [20]. Depending on the function which shall be computed, miscellaneous complex operations (consisting of additions, multiplications, etc.) have to be evaluated homomorphically, e.g. encrypted queries to a search engine or searching on encrypted data (in a database). But the small number of homomorphically evaluable multiplications drastically limits the previously mentioned schemes. The question whether it is possible to construct a fully homomorphic encryption scheme, i.e. a scheme which supports the computation of arbitrary functions on encrypted data (with no limit on the number of multiplications), in the cryptographic community was long believed to be a holy grail. Not before 2009, Gentry theoretically solved this problem by presenting his fully homomorphic encryption scheme (FHE) based on ideal lattices in [20]. The goal of this thesis is twofold: Firstly we give an overview of the progress and results in the field of fully homomorphic encryption and signatures after the breakthrough of Gentry, and secondly we cryptanalyse an implementation of a FHE scheme to contribute experimental results concerning the security issues of such schemes. In the first part, we recapitulate Gentry s theoretical achievements in [20] to obtain a FHE scheme and then list a number of improvements to his work as well as further proposals from [47], [24], [39], [49], [48], [14], and [12] for lattice-based schemes and from [50] and [13] for integer-arithmetic schemes. In addition, we highlight the link between all these papers as they are the most common approaches to achieve a fully homomorphic encryption scheme. Furthermore, we provide an overview over the results in [7] and [6] on the field on fully homomorphic signatures schemes which is fairly new. For the second part we cryptanalyse the, to us, most efficient implementation of a fully homomorphic encryption scheme, presented by Gentry and Halevi in [24]. In detail, we concentrate on one of the two underlying (theoretical) hardness problems which is also suitable for, and used, in other cryptographic encryption schemes (not fully homomorphic ones). We analyse and estimate the robustness of the security parameters presented by the authors of [24] by applying some strategies to break the proposed scheme. We measure the running times and also the success rates of the chosen strategies and compare their effectiveness. 2

Part I. Progress on Homomorphic Encryption and Signature Schemes 1. Preliminaries We start by giving definitions that will be used throughout this paper and to which we will eventually refer. The definitions are split into three parts: There is the general part for (ideal) lattices, followed by the part of computational problems and lastly the part containing security models for (fully) homomorphic encryption and signatures. General Notations. With N, Z, Q, R we denote natural numbers (with zero), integers, rationals and reals, respectively; with K + we denote {x K : x > 0} and with K n we mean the usual n-dimensional vector space resp. module over K {N, Z, Q, R}. K p denotes K/(pK) and for prime p we write it as F p, since F p is (in this case) a field with p elements. We also consider F 2 = {0, 1}. Vectors are denoted with small letters (a, b,...) and we think of vectors as columns. We denote matrices with capital letters (A, B,...) and the set of all (m n)-matrices over K with K m n. A T stands for the transpose of the matrix A. We think of matrices as ordered sets of column vectors. v p denotes the l p -norm of the vector v which for a real p 1 is defined as v p := n p v i p. The frequently used norms will be the maximum norm v := max i=1,...,n { v i } and the Euclidean norm v 2 = n i=1 v i 2 corresponding to the intuitive notion of the length of the vector v in a Euclidean space. For a matrix A we write A p for max i=1,...,n { a i p } where a i denotes the i-th column of A. With t we mean the rounding of t to the nearest integer, as well as t and t denote the rounding up of t to the next integer and rounding down, respectively. (This in particular for a (possibly negative) real t means that t = sign(t) t, and similar for rounding up and down.) If we write t mod p, we mean the unique number t in [ p/2, p/2) Z such that t = kp + t for some integer k. (When t shall denote the unique number in {0,..., p 1}, we will address this separately.) With x := a or x a we assign the value a to (the variable) x, with x R A the assignment has some randomness involved (according to A respectively the right-hand side of the assignment), with x R A we uniformly choose x from the set A on the right, and for comparison in algorithms we use x == a if needed so as not to get mixed i=1 3

1 PRELIMINARIES up with the assignment x := a. The equation sign = is used in its full meaning in mathematics (e.g. containing assignments and comparisons, its actual use being clear from the context). A last notation we want to introduce is the Big O notation: With f O(g) or f = O(g) we mean 0 lim sup x f(x)/g(x) <, with f o(g) or f = o(g) we mean lim x f(x)/g(x) = 0, f Ω(g) or f = Ω(g) denotes g O(f), f ω(g) or f = ω(g) is the corresponding g o(f), and finally f Θ(g) or f = Θ(g) means both f O(g) and g O(f). Other notations concerning the definitions below will be introduced there. 1.1. Lattices General lattices. A lattice L is a discrete abelian subgroup of R n. Since this definition is too vague, we would like to have a better natural handle for the lattice L. A basis B := (b 1,..., b d ) for the lattice L consists of d n linearly independent vectors b i with L = L(B) := {Bx : x Z d }, i.e. L is the set of all integer combinations of vectors in B. The number d 1 is independent of the given basis for the lattice L, thus being a lattice constant. It is called the dimension of L and denoted d = dim(l). (The independence of d is due to the fact that for d 2 there exist infinitely many bases for L and a particular basis B can be transformed into any other basis B via B = B T for a (unimodular) matrix T GL d (Z) := {A Z d d : det(a) = 1}.) A lattice is of full-rank if d = n. The determinant of a lattice L with basis B is given by det(l) := det(b T B). It also is a lattice constant. For full-rank lattices there is a short version for the determinant, i.e. det(l) = det(b). A geometric interpretation of the determinant is the volume of the parallelepiped P (B) := {Bx : x [ 1/2, 1/2) d }. Albeit the shape of P (B) changes (since P (B) depends on the shape of B), the volume of P (B) is the same for all bases B of L. Although we stated above that there exist infinitely many bases for a lattice with dim(l) 2, there are differences between them. A good basis consists of short and nearly orthogonal vectors whereas a bad basis does not fulfill any of these two requirements. We will not go into detail what short here means, but in literature the Hermite Normal Form (HNF) of a basis is thought of as a bad basis. A matrix B is in Hermite Normal Form if B is an upper triangular matrix, b ii > 0 for i = 1,..., n and b ii > b ij 0 for all j = i + 1,..., n. The HNF of a basis B, denoted HNF(B), can be easily computed from B via HNF(B) = B U for a unimodular matrix U GL d (Z) denoting (invertible) column operations. By t mod B for a vector t we denote the unique vector t P (B) with t t L; t can be computed efficiently via t = t B B 1 t if L = L(B) is a full-rank lattice. The i-th successive minimum λ i (L) is defined as the radius of the smallest sphere which contains i linearly independent vectors of L. The value λ 1 (L) is also called minimal distance of L. The dual lattice or reciprocal lattice L of a lattice L is defined as L := {y span(l) : x L : x, y Z}, where, denotes the (standard) scalar product and span(l) := {Bx : x R n } for L = L(B). It holds that det(l) det(l ) = 1, and for full-rank lattices L = L(B) we get a basis B for L via B = (B 1 ) T. Furthermore, let Λ q (A) denote the set {x Z m : Ax 0 mod q}. 4

1.1 Lattices Ideal lattices. For the introduction of ideal lattices, we use another approach than for general lattices. Therefore, consider the (polynomial) ring Z[x] in one variable. An ideal I of a ring R (with unity) is a subset which is additively closed and also closed under multiplication with elements of R, i.e. for elements i, j I and r R we have i+rj I. We define (a 1,..., a n ) to be the ideal generated by elements a 1,..., a n R, i.e. k (a 1,..., a n ) := r j a ij : r j R, i j {1,..., n}, k n. j=1 The elements a 1,..., a n are then called generators of I, and for n = 1 the ideal I is called principal ideal. Now, we define the (polynomial factor) ring R := Z[x]/(f(x)) for a polynomial f(x) Z[x] of degree n. R bijectively corresponds to Z n and each element v in R can be viewed as a polynomial v(x) = v 0 + v 1 x +... + v n 2 x n 2 + v n 1 x n 1 of degree n 1 or as a vector v = (v 0, v 1,..., v n 2, v n 1 ) T. By simply writing v, we simultaneously mean both. The ideal I = (v) in R then naturally corresponds to a lattice in Z n. By abuse of notation, we will write I for this lattice which is called an ideal lattice. The basis for I is B I := {v i := v x i mod f(x) : i = 0,..., n 1} and is called rotation basis. For an ideal I, we can also define a fractional ideal I 1 := {y K : x I : x y R}, where K is a field containing R, e.g. for R = Z[x]/(f(x)) we have K = Q[x]/(f(x)). So, I 1 is not necessarily a subset of R, but I 1 again is an ideal (hence, the definition of fractional ideal makes sense). (In general, the formal definition of a fractional ideal is much more complex, but the definition above is suitable for our needs.) A (fractional) ideal I is called invertible if there exists another (fractional) ideal J with IJ = R, where IJ = { n i=1 a ib i : a i I, b i J, n N + } is the product of I and J. If we have I = (v) then I 1 = (1/v), where 1/v is computed in K; for multiple generators v 1,..., v n of I, its inverse ideal is I 1 = n i=1 (1/v i). Two ideals I and J are called relatively prime or co-prime if I + J R. We sometimes call the determinant of an ideal lattice I its norm, denoted nm(i), and for I = (v) we have nm(i 1 ) = nm(i) 1. We introduce the (discrete) Gaussian distribution and the smoothing parameter, which have become more and more important in past years: For any s R + the Gaussian distribution (in R n ) centered around c R n is defined as ρ s,c, (x) := exp( π x c 2 /s 2 ) for all x R n. The parameter s is called the standard deviation of the distribution. (When it is clear which norm is used, we will write ρ s,c ; if c = 0, we just write ρ s for ρ s,c.) Besides this continuous version there is also the discrete Gaussian distribution over L, defined as D L,s,c (x) := ρ s,c(x) ρ s,c (L) for all x L and ρ s,c (L) := y L ρ s,c(y) for a set L (which will be a lattice in this paper). If c = 0, we will omit it in D L,s,c and just write D L,s. According to most definitions in literature, the smoothing parameter η ε (L) is defined here as follows: For a lattice L and ε R + we have η ε (L) := min{s R + : ρ 1/s (L \ {0}) ε}. 5

1 PRELIMINARIES The expansion factor γ of a ring R is defined as γ := γ(r) := sup r 1,r 2 R { r1 r 2 r 1 r 2 If the ring R is obvious or not necessary to mention, we will omit it and just write γ. For two polynomials f(x), g(x) the resultant res(f, g) is defined as res(f, g) := (x y) (x,y):f(x)=0=g(y) which for a separable polynomial f(x) is the same as res(f, g) = y:g(y)=0 f(y). 1.2. Computational Problems Now we define the used computational problems, on which the security of the proposed homomorphic encryption and signature schemes relies. We will write dist(l, t) for min y L { t y }. Although there are a lot of different lattice problems, we will only consider the most important for this work. The first one is a problem in general lattices, whereas the following problems will occur in ideal lattices. Definition 1.1 (Small Integer Solution Problem (SIS)). Given positive integers m, n Z +, a positive real β R +, a prime q and A Zq n m, where A is chosen from a distribution negligibly close to uniform over Z n m q, find v Λ q (A) \ {0} with v β. This definition corresponds to one of Micciancio and Regev (cf. [37]). Roughly speaking, the SIS problem asks to find a small integral linearly dependent combination of the columns of A (modulo q). For a definition of negligible see Definition 1.16. Definition 1.2 (Ideal Shortest Independent Vector Problem (Ideal SIVP)). Given a ring R, an ideal I in R with basis B I and a positive real d 1, find an independent set B in I with B d λ n (I). The ideal SIVP is a natural translation from the d-sivp in lattices, which asks to find n linearly independent vectors v 1,..., v n L with the condition max i=1,...,n v i d λ n (L). The first definition of the SIVP, to our knowledge, appeared in the work of Ajtai ([1], problem (P3)) in a slightly different manner to both notations before: Ajtai formulated to find a basis with the condition above. Definition 1.3 (Ideal Membership Problem (IMP)). Let R be a ring, I an ideal in R and Sample I an algorithm that efficiently samples I. The challenger randomly chooses a bit b R {0, 1}, and sets x R Sample I (R) for b = 0 and x R R otherwise. Given (x, R, Sample I ), find b. In particular, this means to decide if x is an element of the ideal I. }. 6

1.2 Computational Problems Definition 1.4 (Inner Ideal Membership Problem (IIMP)). Let R be a ring, I an ideal in R with basis B I, IdealGen an algorithm that samples two bases of an ideal in R and s R + a positive real. The challenger generates (BJ sk, Bpk J ) R IdealGen(R, B I ) and randomly chooses a bit b R {0, 1}. For b = 0 it sets x R D I,s, otherwise x R D R,s. At last, it sets t = x mod B pk J. Given (Bpk J, t), find b. This problem is like the IMP in the sense that one wants to know whether x is an element of the (inner) ideal I, but where the I-IMP is disturbed by the (outer) ideal J. Definition 1.5 (Ideal Coset Problem (ICP)). Let R be a ring, I an ideal in R with basis B I, IdealGen an algorithm that samples two bases of an ideal in R and Sample an algorithm which efficiently samples R. The challenger randomly chooses a bit b R {0, 1} and generates (BJ sk, Bpk J ) IdealGen(R, B I). For b = 0 it sets r R Sample(R) and t = r mod B pk J, otherwise t R R mod B pk J. Given (t, Bpk J ), find b. Definition 1.6 (Decisional Bounded Distance Decoding Problem (DBDDP) for Ideal Lattices). When the ICP is instantiated with a polynomial (factor) ring R = Z[x]/(f(x)) and the algorithm Sample efficiently samples from Z n R (for monic polynomial f(x) of degree n), the ICP is called DBDDP (in a version for ideal lattices). Definition 1.7 (SplitKey Distinguishing Problem (SKDP)). Let KeyGen, SplitKey be algorithms and (sk, pk) R KeyGen. The challenger randomly chooses a bit b R {0, 1}. For b = 0 it sets (sk, T ) R SplitKey(sk, pk), otherwise (sk, T ) R SplitKey(, pk) for some special symbol. Given (T, sk, pk), find b. The four problems IIMP, ICP, DBDDP and SKDP were introduced by Gentry in [20] and previous works. The ICP is said to be a fairly natural decisional version of the closest vector problem ([21]) in concrete terms. The last type of problems are problems on (integer) numbers, which can be adapted to a one-dimensional lattice: One shall find an approximate greatest common divisor (gcd) for some given numbers or a (sparse) subset in a set of numbers that sums up to a given number. The definitions are as follows: Definition 1.8 (Approximate-GCD Problem (AGCDP)). Given k numbers y 1,..., y k chosen according to the distribution Dist γ,ρ (p) := {choose q R Z [0, 2 γ /p), r R Z (2 ρ, 2 ρ ), output x = pq + r} for an odd positive integer p Z +, find p. The number p is called the (hidden) approximate-gcd of the given numbers y 1,..., y k, and the values γ, ρ define the maximal (bit)length of q, r. Definition 1.9 (Sparse Subset Sum Problem (SSSP)). Let s, t, q Z + be positive integers. The challenger randomly chooses a bit b R {0, 1}. For b = 0 it generates T as a set of t integers a 1,..., a t with a i R [ q/2, q/2) and the existence-constraint of S {1,..., t} with S = s and i S a i = 0 mod q; otherwise it generates T without the constraint. Given T, find b. 7

1 PRELIMINARIES This definition is the one for the decisional version of the subset sum problem in literature, the sparsity of the problem occurring when the parameters t, s are set according to those of Gentry in [20], Section 11. If one is asked to not just decide if a subset S exists, but rather to find and output S, the problem is called search SSSP. 1.3. Security Models This subsection is intended to give the definitions for the analysis of the security of the schemes presented later. Homomorphic Encryption Definition 1.10 (Homomorphic Encryption Scheme). A homomorphic encryption scheme consists of the following four algorithms: KeyGen(λ). On input the security parameter λ, this randomised algorithm outputs a tuple (sk, pk) consisting of the secret key sk and public key pk. Encrypt(pk, π). On input a public key pk and a plaintext π, this randomised algorithm outputs a ciphertext ψ. Decrypt(sk, ψ). On input a secret key sk and a ciphertext ψ, this algorithm outputs the corresponding plaintext π. Evaluate(pk, C, Ψ). On input a public key pk, a circuit C with t inputs (of the set C of allowed circuits) and a set Ψ of t ciphertexts ψ 1,..., ψ t, this (possibly randomised) algorithm outputs a ciphertext ψ. So, a homomorphic encryption scheme consists of all algorithms of a conventional public key encryption scheme and an extra one. The correctness-condition for the conventional part of a homomorphic encryption scheme is identical to the one for a (non-homomorphic) public key encryption scheme. Because of simplicity and size, we will give a rather informal explanation of the Evaluatealgorithm, an informal definition for fully homomorphic encryption (FHE) schemes and defer the detailed definitions to the references. The additional algorithm Evaluate roughly speaking is supposed to do the following: If ψ i is a ciphertext corresponding to the plaintext π i for i = 1,..., t and Ψ = (ψ 1,..., ψ t ), then Evaluate(pk, C, Ψ) shall return a ciphertext ψ corresponding to the plaintext C(π 1,..., π t ) for a circuit C with t inputs (cf. Figure 1). A homomorphic encryption scheme is said to correctly evaluate C (a set of circuits), if the correctness-condition on the algorithm Evaluate from above holds for all circuits C C. Definition 1.11 (Fully Homomorphic Encryption). We call a homomorphic encryption scheme fully homomorphic, if it correctly evaluates all circuits and the size of its decryption algorithm (as a circuit) is bounded by some (fixed) polynomial in the security parameter. 8

1.3 Security Models sk Ψ pk C sk π 1 Dec ψ 1 π 2. Dec. ψ 2. π t Dec ψt ψ t C Evaluate ψ Dec π C π 1 π 2. π t Figure 1: An illustrative view on the Evaluate-algorithm Remark. The size-constraint on the decryption algorithm excludes trivial schemes in which Evaluate simply outputs (C, Ψ) and Decrypt is adapted to first decrypt the single components of Ψ and then apply the circuit C to the decrypted parts. Now, we come to the definitions concerning the security of the schemes. Security Definitions for Homomorphic Encryption We consider games as the right purpose to introduce the notion of security which is covered by the definitions then. We start by defining the games for CCA2-, CCA1- and CPA-security for a homomorphic encryption scheme E. Definition 1.12 (Game Hom-CCA2-IND E ). Let P denote the plaintext space and C the ciphertext space, which in the case of a homomorphic encryption scheme E is supposed to be larger since C is the support of Evaluate and not just the support of Encrypt as for a conventional public key encryption scheme. Setup. The challenger B generates a tuple (sk, pk) R KeyGen(λ) and gives the public key pk to the adversary A. Query-Rounds. A sends decryption-queries about ciphertexts ψ i of its choice to B. The challenger answers with the output of Decrypt(sk, ψ i ). The adversary A is allowed to request decryption-queries even though it may have received the challenge from B. Challenge. The adversary A picks a circuit C with t inputs (t being polynomial in the security parameter), two plaintext tuples π i := (π1 i,..., πi t), i = 1, 2, of its choice and sends π 0, π 1 to B. The challenger randomly chooses a bit b R {0, 1}, computes Ψ := (ψ1 b,..., ψb t ) with ψj b R Encrypt(pk, πj b ) and sends ψ := Ψ to A. (Note that B does not have to compute ψ as Evaluate(pk, C, Ψ) since A can do this step on its own because only public values are involved.) Guess. A sends a bit b {0, 1} to B. Definition 1.13 (Game Hom-CCA1-IND E ). The game for CCA1-security is the same as the game for CCA2, except that the adversary is allowed to make queries only before the 1 challenge. 9

1 PRELIMINARIES Definition 1.14 (Game Hom-CPA-IND E ). The game for CPA-security omits the queryrounds of the CCA2/CCA1-games. The rest remains the same. Except for the challenge phase, the three defined games Game Hom-CCA2-IND E, Game Hom-CCA1-IND E and Game Hom-CPA-IND E equal the ordinary games for CCA2-, CCA1- and CPA-security for conventional public key encryption schemes. The difference in the challenge step in the ordinary games is that A only is allowed to choose two elements π 0, π 1 P (and not two t-tuples for a circuit C with t inputs) and receives an element ψ (and not a t-tuple) as the answer. We say that an adversary wins Game Hom-X-IND E for X {CCA2, CCA1, CPA} if b = b, and by Pr[b = b] we denote the probability for this event. Definition 1.15 (Advantage in Homomorphic Encryption). We define adversary A s advantage in Game Hom-X-IND E to be Adv Hom-X-IND A,E := Pr[b = b] 1 2, where Pr[b = b] is the probability for A to win Game Hom-X-IND E the randomness used by the challenger and the adversary). (the probability is over Roughly speaking, A s advantage is the difference between A s method and just guessing the correct value of b. Definition 1.16 (Negligible (Function)). A function f : N R is said to be negligible if for every integer c > 0 there exists a positive integer n c such that for all integers n > n c we have f(n) < 1 n c. Otherwise we call f non-negligible. For negligible f we write f(x) ε(x), for non-negligible f(x) ε(x). We now can define the security notions: Definition 1.17 (CCA2-, CCA1- and CPA-IND). A homomorphic encryption scheme E is X-IND for X {CCA2, CCA1, CPA}, if no probabilistic polynomial-time adversary A wins Game Hom-X-IND E with non-negligible advantage (in the security parameter λ), i.e. ε(λ). Adv Hom-X-IND A,E By simply writing semantically secure we mean secure in the CPA-IND sense. Homomorphic Signatures Definition 1.18 (Homomorphic Signature Scheme). A homomorphic signature scheme consists of the following four algorithms: Setup(1 n, t). On input the security parameter n and a data set size t, this randomised algorithm generates the secret key sk and public key pk and outputs the tuple (sk, pk). (The public key defines the message space M, the signature space and also the set F of allowed functions f : M t M with t inputs.) 10

1.3 Security Models Sign(sk, τ, i, πi τ ). On input a secret key sk, a tag τ {0, 1}n, an index i and a message πi τ, this randomised algorithm outputs a signature στ i. Verify(pk, τ, πi τ, στ i, f). On input a public key pk, a tag τ, a message πτ i, a signature σi τ and a function f F, this algorithm either outputs 0 (for rejection) or 1 (for acceptance). Evaluate(pk, τ, f, Σ τ ). On input a public key pk, a tag τ, a function f F and a signature tuple Σ τ = (σ1 τ,..., στ t ), this (possibly randomised) algorithm outputs a signature σ. Like for homomorphic encryption, the first three algorithms are (nearly) identical to those of a conventional public key signature scheme. The difference here the inclusion of a tag τ, an index i and a function f will become obvious: With the tag τ {0, 1} n we distinguish between different data sets Σ τ as input to the function f, the signature computed by the Sign-algorithm will require the presence of the index i, and the Verifyalgorithm will need a representation of f to do its job properly. The correctness-condition for conventional public key signature schemes must obviously be fulfilled for the converted algorithms Sign and Verify including the projection maps p i (π τ 1,..., πτ t ) := π τ i. This means that F at least contains all projection maps p i. The additional algorithm Evaluate informally does the following: If Σ τ consists of honestly created signatures σ τ i = Sign(sk, τ, i, πτ i ) for messages πτ i, then Evaluate(pk, τ, f, Στ ) shall return a signature σ corresponding to the message f(π τ 1,..., πτ t ) for a function f F. In addition to the correctness-condition for Sign and Verify, the one for Evaluate can be formulated as Verify(pk, τ, f(π τ 1,..., π τ t ), Evaluate(pk, τ, f, Σ τ ), f) = 1 for Σ τ = (σ1 τ,..., στ t ), σi τ = Sign(pk, τ, i, πτ i ) and for all f F. Definition 1.19 (Homomorphic with respect to F / F-Homomorphic). If all these conditions are satisfied for an allowed set F of functions, then the signature scheme S correctly evaluates F and is called F-homomorphic (or homomorphic with respect to F). Remark. There is one risky point in our definitions so far: The Evaluate-algorithm can create a signature σ from signatures Σ = (σ 1,..., σ t ) which themselves are obtained by Evaluate. Repeating this procedure several times, we could reach the point where the input signatures are valid, but the output signature of Evaluate is not. This is due to the fact that the noise in the aggregated signature becomes too large and thus the Evaluate-algorithm is no longer able to do its job properly. To keep it simple, we restrict the correctness-property of Evaluate to hold when the input signatures are fresh signatures created by Sign. 11

1 PRELIMINARIES Security Definitions for Homomorphic Signatures Definition 1.20 (Game Hom-CMA-UNF S ). Setup. The challenger B generates a tuple (sk, pk) R Setup(1 n, t) and gives the public key pk to the forger A. Query-Rounds. A sends adaptively-chosen signature-queries about message tuples Π i := (π1 i,..., πi t) to B. The challenger randomly chooses a tag τ i R {0, 1} n and sends the tag τ i and the signature tuple Σ τ i including the signatures σ τ i j = Sign(sk, τ i, j, πj i) back to A. (Note that B does not have to compute Evaluate(pk, τ, f, Σ τ ) since A can do this step on its own after it receives the signature tuple Σ τ.) Attempt. At the end, the forger A outputs a tag τ {0, 1} n, a message π, a function f and a signature σ. We say that the forger A wins in Game Hom-CMA-UNF S, if Verify(pk, τ, π, σ, f) = 1 and either Type-1 forgery. τ τ i for all queried i, or Type-2 forgery. τ = τ i for some i and π f(π i ). Definition 1.21 (Advantage in Homomorphic Signatures). We define forger A s advantage in Game Hom-CMA-UNF S to be Adv Hom-CMA-UNF A,S := Pr[Verify(pk, τ, π, σ, f) = 1], where Pr[Verify(pk, τ, π, σ, f) = 1] is the probability for A to win in Game Hom-CMA-UNF S (the probability is over the randomness used by the challenger and the forger). Definition 1.22 (CMA-UNF). A homomorphic signature scheme S is CMA-UNF, if no probabilistic polynomial-time forger A wins Game Hom-CMA-UNF S with non-negligible advantage (in the security parameter n), i.e. Adv Hom-CMA-UNF A,S ε(n). 12

2. Homomorphic Encryption Schemes In this section we want to describe the process that was made on (fully) homomorphic encryption schemes. The schemes published so far can be categorised in two parts. We start by introducing the lattice-based schemes. 2.1. Lattice-Based Encryption Schemes Though there were many (ordinary) lattice-based encryption schemes like the one of Goldreich, Goldwasser and Halevi (cf. [26]), Ajtai and Dwork (cf. [2]), the fast NTRU cryptosystem (cf. [29]), and cryptosystems based on the learning with errors -problem introduced by Regev (cf. [42]), the problem of a fully homomorphic encryption scheme was not solved until the breakthrough of Gentry in [20]. We will start by showing Gentry s techniques for obtaining a fully homomorphic encryption scheme based on ideal lattices, since it is a very important foundation for the work of Gentry and others, and then present further work that improves the proposed scheme or adapts the techniques and uses them in a similar way. Gentry s Fully Homomorphic Scheme Gentry s most important steps can be described briefly as follows: After constructing an abstract and a somewhat homomorphic encryption scheme, Gentry squashes the decryption circuit and by bootstrappability obtains a fully homomorphic scheme. Abstract Scheme. Gentry starts with a definition of an abstract scheme using rings and ideals, omitting instantiation details at first. His scheme is as follows (additional remarks appear after the description): KeyGen(R, B I ). On input a ring R and the basis B I of an ideal I, this randomised algorithm generates via (BJ sk, Bpk J ) R IdealGen(R, B I ) two bases for an ideal J and outputs the public key pk = (R, B I, B pk J, Samp) and secret key sk = (pk, Bsk J ). Encrypt(pk, π). On input a public key pk and a plaintext π, this algorithm generates ψ Samp(B I, π) and outputs ψ := ψ mod B pk J. Decrypt(sk, ψ). On input a secret key sk and a ciphertext ψ, this algorithm outputs π := ψ mod BJ sk mod B I = ψ BJ sk B sk J ψ mod B I. Evaluate(pk, C, Ψ). On input a public key pk, a circuit C with t inputs (of some special set C of allowed circuits) and a set of t ciphertexts Ψ = (ψ 1,..., ψ t ), this algorithm invokes the evaluation of the embedded additions (ψ i + ψ j ) mod B pk J and multiplications (ψ i ψ j ) mod B pk J in the circuit C in the right order to obtain a ciphertext ψ which it outputs. Remarks. 1. The plaintext space is (a subset of) R mod B I. 2. The (randomised) algorithms IdealGen and Samp remain abstract, but roughly speaking IdealGen(R, B I ) constructs a secret and public basis for an ideal J coprime to the input ideal I and Samp(B I, x) samples the coset x + I. 13

2 HOMOMORPHIC ENCRYPTION SCHEMES 3. Gentry describes how to construct C, the set of allowed (or permitted) circuits, and proves that this abstract scheme is correct for C. Gentry also proves that this abstract scheme E is semantically secure if the ICP is hard: Theorem 2.1 ([20], Theorem 5.3.1). Suppose that there is an algorithm A that breaks the semantic security of (the abstract scheme) E with advantage ε when it uses Samp. Then, there is an algorithm B, running in about the same time as A, that solves the ICP with advantage ε/2. Somewhat Homomorphic Scheme. Gentry s somewhat homomorphic encryption (SHE) scheme bases on the abstract scheme and is instantiated with ideal lattices, thus becoming a semi-concrete scheme (some details remain abstract). His motivation for using ideal lattices is that they not only have an additive, but also have a multiplicative structure that will enable us to evaluate deep arithmetic circuits (though we will need more tricks before we ultimately obtain a bootstrappable scheme). Bootstrappability means the scheme s ability of homomorphically evaluating augmented decryption circuits. Therefore, he geometrically interprets the sets of encryptable and decryptable elements as balls with some radii r Enc and r Dec, and in Theorem 7.3.2 states the bound log log r Dec log log(γ r Enc ) on the depth of correctly evaluable circuits. After that, Gentry proposes instantiations for the underlying ring, for the Encrypt- and Decrypt-algorithms (thus, also values for r Dec and r Enc ), and in Section 7.7 he states that this instantiation of the abstract scheme is semantically secure if the underlying decisional bounded distance decoding problem (DBBDP) is hard. (In his words the ICP becomes the DBDDP if instantiated with ideal lattices.) Although this scheme is the first concrete one, keep in mind that some algorithms still remain abstract. Tweaks. Before Gentry comes to his squashing-technique, he applies two tweaks to the somewhat homomorphic scheme: 1. At first, he redefines the decryption equation to π = ψ vj sk ψ mod B I for a short vector vj sk J 1. By this Gentry simplifies the equation and reduces the computational complexity (he also lowers the range of decryptable elements). 2. The second tweak is to halve the radius r Dec of the ball B(r Dec ) of decryptable elements. This is done for the purpose of reducing the circuit complexity of the Decrypt-algorithm, since reducing r Dec by half ensures vectors to be closer to J and the decryption-process will need less precision. The second tweak is especially slightly more complicated, since several different techniques are applied. Therefore, the decryption equation π = ψ BJ sk (B sk J ) 1 ψ mod B I is split into and computed in three steps: 14

2.1 Lattice-Based Encryption Schemes I. Generate n vectors x 1,..., x n with n i=1 x i = (BJ sk) 1 ψ. II. From x 1,..., x n generate integer vectors y 1,..., y n+1 with n+1 i=1 y i = n i=1 x i. III. Compute π = ψ BJ sk ( n+1 i=1 y i) mod B I. It shall only be mentioned here that step I will be eliminated by the squashing-technique (i.e. transferred to the encrypting party), for step II only O(log n) bits of precision for the rational vectors x i are required when using Karp s 3-for-2-trick (cf. [31]), the computation of y i can be boosted using elementary symmetric polynomials, and in step III the computation can be done in constant depth (using a polynomial fan-in circuit). For further details see Section 9 in [20]. Squashing the Decrypt-Algorithm. The squashing-technique is as follows: The owner of the secret key sk adds a hint of sk inside the public key pk after creating the key-pair, which the encrypting party then uses in its (extended) computation. Thanks to Tweak 1, the secret key consists of the vector vj sk and the decryption equation is π = ψ vj sk ψ. Using the somewhat homomorphic scheme, one adds the following algorithms: SplitKey(sk, pk ). On input sk, which either is a secret key sk of the somewhat homomorphic scheme or the special symbol, and a public key pk of the somewhat homomorphic scheme, this algorithm outputs the tuple (sk, T ) where: 1. T is a set of t vectors v 1,..., v t uniformly random in J 1 mod B I with the constraint that there exists a subset S {1,..., t} with S = s such that i S v i vj sk + I. 2. sk is a matrix encoding which elements of T are elements of S. ExpandCT(pk, ψ ). On input a public key pk (which includes the set T = (v 1,..., v t )) and a ciphertext ψ of the somewhat homomorphic scheme, this algorithm outputs c i := v i ψ mod B I for i = 1,..., t. Making use of these two new methods, the algorithms for the squashed scheme have to be slightly adjusted: KeyGen(λ). Run the KeyGen-algorithm of the somewhat homomorphic scheme to obtain (sk, pk ) and run (sk, T ) SplitKey(sk, pk ). The secret key is sk, the public key pk = (pk, T ). Encrypt(pk, π). Run the Encrypt-algorithm of the somewhat homomorphic scheme using pk to obtain ψ, run ExpandCT(pk, ψ ) to receive the expansion (c 1,..., c t ) of ψ and output ψ = (ψ, c 1,..., c t ). Decrypt(sk, ψ). On input a secret key sk and a ciphertext ψ of the form ψ = (ψ, c 1,..., c t ), this algorithm performs the following steps: i. Generate the vectors x i using sk and the c i s. ii. Proceed with step II, and iii. Proceed with step III of the decryption equation like on page 14. Add(pk, ψ 1, ψ 2 ). Extract the ciphertexts ψ 1, ψ 2 from ψ 1, ψ 2, run the Add-algorithm of 15

2 HOMOMORPHIC ENCRYPTION SCHEMES the somewhat homomorphic scheme to obtain ψ, run ExpandCT on ψ and output (ψ, c 1,..., c t). Analogue steps are done for Mult. Remark. An easy way to generate T would be to generate t 1 uniform vectors v i in J 1 P (B I ), set v t := vj sk s i=1 v i and permute the resulting t vectors. The security of the squashed scheme relies on the hardness of the SKDP: Theorem 2.2 ([20], Theorem 10.1.2). Suppose that there is an algorithm A that breaks the semantic security of (the squashed scheme) E above with advantage ε. Then, there exist algorithms B 0 and B 1, running in about the same time as A, such that either B 0 s advantage against the SplitKey Distinguishing Problem or B 1 s advantage against the semantic security of (the somewhat homomorphic scheme) E is at least ε/3. Gentry proves the security for the abstract version of the squashed scheme, using an abstract version of the SplitKey Distinguishing Problem (as stated in Definition 1.7). The proof easily carries over to a semi-concrete version of the squashed scheme based on the concrete instantiation of the SplitKey-algorithm as defined above. This semi-concrete version can be proven secure if the SSSP is hard: Theorem 2.3. Let A be an algorithm that decides the concrete version of the SKDP with advantage ε, and let B I and IdealGen be such that det(i) and det(j) are distinct primes and q/ det(ij) is super-polynomial (in the security parameter). Then, there is an algorithm B, running in about the same time as A, that decides the SSSP with advantage ε/(4t) up to negligible factors. Proof. The proof is just the combination of the proofs of Theorems 11.1.3 and 11.1.5 in [20]. There, an intermediate problem, namely the sparse vector subset sum problem, is introduced, which is needed for the reduction SSSP SVSSP SKDP to work. In addition, Gentry proves that the squashed scheme is hard if the search version of the SSSP is hard (Theorem 11.1.7). Fully Homomorphic Encryption Scheme. The only question, which remains unanswered up to now, is: For which parameters is the proposed semi-concrete squashed scheme bootstrappable, or how can we choose the parameter s for the SSSP to be hard while still maintaining bootstrappability (the ability of homomorphically evaluating augmented decryption circuits)? Theorem 2.4 ([20], Theorem 10.3.1). The (semi-concrete) scheme E is bootstrappable when s log c 1 s log(r Dec/m) 2 c 2 log(γ renc ), where log c 1 s is the polylog-term arising in Lemma 9.0.3, m arises from the redefinition of C E in the Tweaks (m = 2 when just Tweak 2 is used), and c 2 is a constant representing the depth needed in a circuit having Add BI gates with γ = n Ω(1) fan-in and Mult BI gates with constant fan-in to sequentially perform Decrypt steps i, iii and a NAND gate. 16

2.1 Lattice-Based Encryption Schemes Name Remaining abstract Instantiated (accumulative) Abstract Rings, ideals, ICP, encryption, decryption, key generation,... Somewhat homomorphic Key generation Ring, ideals ideal lattices, encryption, decryption, ICP BDDP Squashed Key generation, SKDP Semi-concrete Key generation SKDP Fully homomorphic Key generation (SampleD) Table 1: Overview of Gentry s Schemes After giving some optimizations to the squashed scheme, Gentry describes a concrete scheme, instantiating the remaining abstract methods: For the Sample-algorithm Gentry makes use of the SampleD-algorithm proposed by Gentry, Peikert and Vaikuntanathan in Section 3.2 (especially Theorem 3.3) in [25] which uses discrete Gaussian sampling. We call this instantiation Gentry s Fully Homomorphic Scheme. Gentry also proves the security of his fully homomorphic scheme, basing it on the IIMP: Theorem 2.5 ([20], Theorem 14.3.2). Let s IIMP = G/ 2 where G := B I ω( log n) is the Gaussian deviation parameter in (Gentry s fully homomorphic) encryption scheme E, and suppose that s IIMP / 2 exceeds the smoothing parameter of I, i.e. ρ 2/s IIMP (I 1 \{0}) is negligible. Suppose that there is an algorithm A that breaks the semantic security of E with advantage ε. Then, there is an algorithm B, running in about the same time as A, that solves the IIMP with advantage ε/2 (up to negligible factors). Finally, Gentry finishes his investigation of the security of the scheme by proposing a (quantum-)reduction from SIVP to IVIP, hopping over four intermediate problems. Summarizing all results, this gives Theorem 2.6. Suppose that d ISIVP = (3 e) 1/n d IVIP s IVIP s HBDDP s HBDDP /(n 1.5 f ) 2 (s MIIMP 2n B I )/(γ n) s MIIMP s IIMP s IIMP ε/(n max{ B I }) G/ 2 17

2 HOMOMORPHIC ENCRYPTION SCHEMES where G is the Gaussian deviation parameter in (Gentry s fully homomorphic) encryption scheme E, e is Euler s constant and s IVIP > 8 γ n 2.5 ω( log n) for all ideals with determinant at least d n IVIP. Also suppose that s IIMP exceeds the smoothing parameter of I, that IdealGen always outputs an ideal J with G n < λ 1 (J) and that [R : I] is prime. Finally, suppose that there is an algorithm that breaks the semantic security of E with advantage ε. Then, there is a quantum algorithm B that solves s ISIVP -SIVP for an ε/4 (up to negligible factors) weight fraction of bases output by IdealGen. The running time of B is O([R : I] 1/ε log d IVIP time(a)). Proof. The proof for this theorem consists of using Theorems 14.3.2 (Theorem 2.5), 14.4.2, 14.5.2, 14.6.2, 19.2.4 and 19.2.3 of [20] for creating the reduction queue SIVP ISIVP IVIP HBDDP MIIMP IIMP E sem. secure and thereby obtaining the abovementioned results. Remarks. 1. Gentry applies a random self-reduction to obtain a worst-case/averagecase connection for ideal lattices and to base the scheme s security on the worst-case hardness of SIVP to get more confidence that the scheme is secure. 2. In Section 18 Gentry describes how to adapt Kalai s algorithm to generate a random factored ideal and how to instantiate some (sub-) methods of the KeyGen-algorithm properly. Suggested Parameters for Gentry s Scheme. To provide resistance for the BDDP against lattice attacks (which run in time approx. 2 n/s for subset size s), the SSSP to be resistant against birthday attacks and lattice attacks (which run in time approx. 2 s if t is chosen large enough, e.g. t Ω(log q)), Gentry proposes to make use of the following parameters: s λ, n λ 2, log q λ 3 and t λ 3, where λ is the security parameter of the scheme. Improvements and Adaptions This subsection is intended to give an overview of work that bases on Gentry s constructions and improves them or adapts them in a similar way. Specialization of Gentry Smart and Vercauteren s construction in [47], presented at PKC 10, adapts Gentry s technique to build a fully homomorphic scheme from a somewhat homomorphic one. In particular, the scheme is a specialization of Gentry s scheme. Their somewhat homomorphic scheme has the plaintext space {0, 1}, the ring R in use is Z[x]/(f(x)) with the monic and irreducible polynomial f(x) = x 2n + 1, which minimises the expansion factor γ, the public key is a tuple (p, a) consisting of the prime p = res(f, g) and the (unique) root a F p of gcd(f, g) for some polynomial g over F p [x], and the secret key consists of (p, b) with b being the coefficient of x 0 in g s inverse polynomial modulo 18

2.1 Lattice-Based Encryption Schemes f(x) and 2p. For further details we refer the reader to [47], Section 3.1, in which it is compactly described how the polynomials and additional variables are chosen and how the algorithms of the scheme are computed. In Section 3.2 the proposed algorithms are analysed in detail in the sense of correctness and evaluation-depth d of the circuits for the somewhat homomorphic scheme. Therein, Smart and Vercauteren use Gentry s Theorem 7.3.2 to obtain a bound on d, but one has to be careful since Gentry s analysis uses the 2-norm whereas Smart and Vercauteren make use of the -norm. For the security analysis of their scheme in Section 4 they introduce two new problems: The first problem, called Small Principal Ideal Problem (SPIP), asks to find a small generator for a principal ideal when given a two-element- or a HNF-representation. (This problem evolves when one tries to recover the secret from the public key, so called Key Recovery.) They only informally argue that no efficient solution for this problem can be found that is reasonably small, relying on the Baby-Step/Giant-Step method and Buchmann s sub-exponential algorithm for units and class groups, even though the SPIP is an instance of a classical and well studied problem in algorithmic number theory. The second problem, called Polynomial Coset Problem (PCP), is similar to Gentry s ICP and asks one to decide whether the value of r is the evaluation of a small polynomial in the root a or a random value (both taken mod p). Theorem 2.7. ([47], Theorem 1) Suppose there is an algorithm A which breaks the semantic security of our somewhat homomorphic scheme with advantage ε. Then there is an algorithm B, running in about the same time as A, which solves the PCP with advantage ε/2. They also informally argue that recovering a plaintext from a given ciphertext would be an instance of the CVP. They are unable to apply a worst-case/average-case reduction to their scheme, but state that the underlying lattice problem is well-studied. The encryption of a single bit with the established somewhat homomorphic scheme is then extended to a larger message space. The authors are able to encrypt and decrypt polynomials up to degree 2 n 1. Roughly speaking, they expand the secret key to be a vector of coefficients b i rather than a single coefficient b. For details on this extension see Section 6 of [47]. At the end one is given implementation results. There one can see that the scheme of Smart and Vercauteren in [47] cannot be made fully homomorphic for practical values of n. Furthermore it should be mentioned that their KeyGen-method has a disadvantage concerning time complexity, since the constraint until p is prime is very strict and entails a high number of iterations until it is satisfied. So we see that although Smart and Vercauteren s scheme is a specialization of Gentry s scheme and they obtain relatively small key and ciphertext sizes, there also are disadvantages in the practicality of this scheme. 19